1. Field of the Invention
This invention relates to a method of network communication. In particular, it enables multiple hosts to share a common IP address using NAT while taking advantage of the security offered by IPsec. Most of the abbreviations used in this specification will be familiar to those skilled in the technical field, so their definitions will not be placed into the body of the text; however, a glossary is provided at the end of the description.
2. Background of the Art
It is generally considered that NAT and IPsec are incompatible protocols. This is because UDP encapsulation of IPsec ESP Packets suffers from conflicts in transport mode when multiple clients behind a NAT device want to communicate with the same server. This transport mode conflict creates a one-session behind one-IP-address restriction for remote client access solutions using IPsec/L2TP when L2TP is secured using IPsec transport mode.
Private networks are commonly connected to the public Internet through one or more NAT routers so that hosts on the private network can communicate with hosts on the Internet. For hosts to receive packets from the Internet, hosts require a globally unique 32-bit public IP address. To help preserve the limited public Internet addresses, private networks can allocate IP addresses from address ranges reserved for private networks. Hosts on the private network, when communicating with hosts on the Internet, do so through a NAT router, which is assigned, either statically or dynamically, one or more public IP address. The NAT router enables the hosts in the private network, behind the NAT router, to share the NAT router's public IP addresses when communicating with hosts on the Internet.
Virtual Private Networks (VPNs) provide the ability for remote hosts to communicate with hosts on a private network by means of establishing a secure tunnel over the Internet. One standard method of achieving this is through the use of PPP over L2TP over IPsec.
In the scenario where a remote host is behind a NAT router, the establishment of an IPsec tunnel becomes problematic because there is an intervening device that is modifying the packets. To support IPsec tunnels between devices that are separated by a NAT router, the devices can employ NAT-Traversal (NAT-T) in the negotiation of IKE and subsequently encapsulate IPsec packets in UDP. However, when NAT-T is used in combination with L2TP over IPsec, a transport mode conflict arises when more than one session behind a NAT-router attempts to connect.
Given that one of the primary reasons for the deployment of NAT-routers is to enable a small number of public IP addresses to be shared by a larger number of hosts, this is a considerable disadvantage. It would therefore be desirable to enable the establishment of L2TP over IPsec tunnels by multiple hosts behind a NAT-router.
Methods built-in to a security gateway, where the IPsec tunnel is terminated, can be implemented to solve the transport mode conflict. In practice, built-in solutions are not available.